diff --git a/docs/changes.rst b/docs/changes.rst index 990ae38f6..e596faa7b 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -6,6 +6,46 @@ Important notes This section provides information about security and corruption issues. +.. _broken_validator: + +Pre-1.1.4 potential data corruption issue +----------------------------------------- + +A data corruption bug was discovered in borg check --repair, see issue #3444. + +This is a 1.1.x regression, releases < 1.1 (e.g. 1.0.x) are not affected. + +To avoid data loss, you must not run borg check --repair using an unfixed version +of borg 1.1.x. The first official release that has the fix is 1.1.4. + +Package maintainers may have applied the fix to updated packages of 1.1.x (x<4) +though, see the package maintainer's package changelog to make sure. + +If you never had missing item metadata chunks, the bug has not affected you +even if you did run borg check --repair with an unfixed version. + +When borg check --repair tried to repair corrupt archives that miss item metadata +chunks, the resync to valid metadata in still present item metadata chunks +malfunctioned. This was due to a broken validator that considered all (even valid) +item metadata as invalid. As they were considered invalid, borg discarded them. +Practically, that means the affected files, directories or other fs objects were +discarded from the archive. + +Due to the malfunction, the process was extremely slow, but if you let it +complete, borg would have created a "repaired" archive that has lost a lot of items. +If you interrupted borg check --repair because it was so strangely slow (killing +borg somehow, e.g. Ctrl-C) the transaction was rolled back and no corruption occurred. + +The log message indicating the precondition for the bug triggering looks like: + + item metadata chunk missing [chunk: 001056_bdee87d...a3e50d] + +If you never had that in your borg check --repair runs, you're not affected. + +But if you're unsure or you actually have seen that, better check your archives. +By just using "borg list repo::archive" you can see if all expected filesystem +items are listed. + .. _tam_vuln: Pre-1.0.9 manifest spoofing vulnerability (CVE-2016-10099) @@ -131,14 +171,26 @@ The best check that everything is ok is to run a dry-run extraction:: Changelog ========= -Version 1.2.0dev0 (not released yet) ------------------------------------- +Version 1.2.0a2 and earlier (not released yet) +---------------------------------------------- + +Please note: + +This is code released for alpha testing (== helping us find bugs). + +It is not suitable to run against your production backup repositories! + +So, if you want to help testing, please run this code additionally to your +normal backup and use a separate, fresh repository for it. + +See there for feedback: https://github.com/borgbackup/borg/issues/4360 Compatibility notes: -- dropped support / testing for Python 3.4 and 3.5, minimum requirement is 3.6. - In case your OS does not provide Python >= 3.6, consider using our binary, +- dropped support / testing for Python 3.4, minimum requirement is 3.5. + In case your OS does not provide Python >= 3.5, consider using our binary, which does not need an external Python interpreter. + Maybe this requirement will be raised to Python 3.6 later. - freeing repository space only happens when "borg compact" is invoked. - list: corrected mix-up of "isomtime" and "mtime" formats. Previously, "isomtime" was the default but produced a verbose human format, @@ -166,16 +218,22 @@ New features: more robustness. See the docs about "borg compact" for more details. - "borg compact --cleanup-commits" is to cleanup the tons of 17byte long - commit-ony segment files caused by borg 1.1.x issue #2850. + commit-only segment files caused by borg 1.1.x issue #2850. Invoke this once after upgrading (the server side) borg to 1.2. Compaction now automatically removes unneeded commit-only segment files. - prune: Show which rule was applied to keep archive, #2886 +- add fixed blocksize chunker (see --chunker-params docs), #1086 Fixes: -- repository compaction now automatically removes unneeded 17byte commit-only - segments, #2850 - avoid stale filehandle issues, #3265 +- use more FDs, avoid race conditions on active fs, #906, #908, #1038 +- add O_NOFOLLOW to base flags, #908 +- compact: + + - require >10% freeable space in a segment, #2985 + - repository compaction now automatically removes unneeded 17byte + commit-only segments, #2850 - make swidth available on all posix platforms, #2667 Other changes: @@ -183,13 +241,21 @@ Other changes: - repository: better speed and less stuff moving around by using separate segment files for manifest DELETEs and PUTs, #3947 - use pyinstaller v3.3.1 to build binaries -- msgpack: switch to recent "msgpack" pypi pkg name, #3890 +- update bundled zstd code to 1.3.8, #4210 +- update bundled lz4 code to 1.8.3, #4209 +- msgpack: + + - switch to recent "msgpack" pypi pkg name, #3890 + - wrap msgpack to avoid future compat complications, #3632, #2738 + - support msgpack 0.6.0 and 0.6.1, #4220, #4308 + - llfuse: modernize / simplify llfuse version requirements - code refactorings / internal improvements: + - include size/csize/nfiles[_parts] stats into archive, #3241 + - calc_stats: use archive stats metadata, if available - crypto: refactored crypto to use an AEAD style API - crypto: new AES-OCB, CHACHA20-POLY1305 - - create: be less racy, use fd for xattrs, acls, bsdflags (not path), #906 - create: use less syscalls by not using a python file obj, #906, #3962 - diff: refactor the diff functionality to new ItemDiff class, #2475 - archive: create FilesystemObjectProcessors class @@ -205,13 +271,13 @@ Other changes: - item.to_optr(), Item.from_optr() - fix chunker holding the GIL during blocking I/O + - C code portability / basic MSC compatibility, #4147, #2677 - testing: - vagrant: new VMs for linux/bsd/darwin, most with OpenSSL 1.1 and py36 - -Version 1.1.6 (2018-06-11) +Version 1.1.9 (2019-02-10) -------------------------- Compatibility notes: @@ -230,6 +296,156 @@ Compatibility notes: You can avoid the one-time slowdown by using the pre-1.1.0rc4-compatible mode (but that is less safe for detecting changed files than the default). See the --files-cache docs for details. + +Fixes: + +- security fix: configure FUSE with "default_permissions", #3903 + "default_permissions" is now enforced by borg by default to let the + kernel check uid/gid/mode based permissions. + "ignore_permissions" can be given to not enforce "default_permissions". +- make "hostname" short, even on misconfigured systems, #4262 +- fix free space calculation on macOS (and others?), #4289 +- config: quit with error message when no key is provided, #4223 +- recover_segment: handle too small segment files correctly, #4272 +- correctly release memoryview, #4243 +- avoid diaper pattern in configparser by opening files, #4263 +- add "# cython: language_level=3" directive to .pyx files, #4214 +- info: consider part files for "This archive" stats, #3522 +- work around Microsoft WSL issue #645 (sync_file_range), #1961 + +New features: + +- add --rsh command line option to complement BORG_RSH env var, #1701 +- init: --make-parent-dirs parent1/parent2/repo_dir, #4235 + +Other: + +- add archive name to check --repair output, #3447 +- check for unsupported msgpack versions +- shell completions: + + - new shell completions for borg 1.1.9 + - more complete shell completions for borg mount -o + - added shell completions for borg help + - option arguments for zsh tab completion +- docs: + + - add FAQ regarding free disk space check, #3905 + - update BORG_PASSCOMMAND example and clarify variable expansion, #4249 + - FAQ regarding change of compression settings, #4222 + - add note about BSD flags to changelog, #4246 + - improve logging in example automation script + - add note about files changing during backup, #4081 + - work around the backslash issue, #4280 + - update release workflow using twine (docs, scripts), #4213 + - add warnings on repository copies to avoid future problems, #4272 +- tests: + + - fix the homebrew 1.9 issues on travis-ci, #4254 + - fix duplicate test method name, #4311 + + +Version 1.1.8 (2018-12-09) +-------------------------- + +Fixes: + +- enforce storage quota if set by serve-command, #4093 +- invalid locations: give err msg containing parsed location, #4179 +- list repo: add placeholders for hostname and username, #4130 +- on linux, symlinks can't have ACLs, so don't try to set any, #4044 + +New features: + +- create: added PATH::archive output on INFO log level +- read a passphrase from a file descriptor specified in the + BORG_PASSPHRASE_FD environment variable. + +Other: + +- docs: + + - option --format is required for some expensive-to-compute values for json + + borg list by default does not compute expensive values except when + they are needed. whether they are needed is determined by the format, + in standard mode as well as in --json mode. + - tell that our binaries are x86/x64 amd/intel, bauerj has ARM + - fixed wrong archive name pattern in CRUD benchmark help + - fixed link to cachedir spec in docs, #4140 +- tests: + + - stop using fakeroot on travis, avoids sporadic EISDIR errors, #2482 + - xattr key names must start with "user." on linux + - fix code so flake8 3.6 does not complain + - explicitly convert environment variable to str, #4136 + - fix DeprecationWarning: Flags not at the start of the expression, #4137 + - support pytest4, #4172 +- vagrant: + + - use python 3.5.6 for builds + + +Version 1.1.7 (2018-08-11) +-------------------------- + +Compatibility notes: + +- added support for Python 3.7 + +Fixes: + +- cache lock: use lock_wait everywhere to fix infinite wait, see #3968 +- don't archive tagged dir when recursing an excluded dir, #3991 +- py37 argparse: work around bad default in py 3.7.0a/b/rc, #3996 +- py37 remove loggerDict.clear() from tearDown method, #3805 +- some fixes for bugs which likely did not result in problems in practice: + + - fixed logic bug in platform module API version check + - fixed xattr/acl function prototypes, added missing ones + +New features: + +- init: add warning to store both key and passphrase at safe place(s) +- BORG_HOST_ID env var to work around all-zero MAC address issue, #3985 +- borg debug dump-repo-objs --ghost (dump everything from segment files, + including deleted or superceded objects or commit tags) +- borg debug search-repo-objs (search in repo objects for hex bytes or strings) + +Other changes: + +- add Python 3.7 support +- updated shell completions +- call socket.gethostname only once +- locking: better logging, add some asserts +- borg debug dump-repo-objs: + + - filename layout improvements + - use repository.scan() to get on-disk order +- docs: + + - update installation instructions for macOS + - added instructions to install fuse via homebrew + - improve diff docs + - added note that checkpoints inside files requires 1.1+ + - add link to tempfile module + - remove row/column-spanning from docs source, #4000 #3990 +- tests: + + - fetch less data via os.urandom + - add py37 env for tox + - travis: add 3.7, remove 3.6-dev (we test with -dev in master) +- vagrant / binary builds: + + - use osxfuse 3.8.2 + - use own (uptodate) openindiana box + + +Version 1.1.6 (2018-06-11) +-------------------------- + +Compatibility notes: + - 1.1.6 changes: - also allow msgpack-python 0.5.6.